Docker-无法托管 [英] Docker - No route to host
问题描述
当我尝试从容器内的端口连接到另一个容器时,我不成功并获得
When i try and connect to a port from within my container to another container, i am unsuccessful and get,
root@ac1590a59fe5:/opt/f5massupgrade# curl -v https://172.17.0.1:6379
* Rebuilt URL to: https://172.17.0.1:6379/
* Hostname was NOT found in DNS cache
* Trying 172.17.0.1...
* connect to 172.17.0.1 port 6379 failed: No route to host
* Failed to connect to 172.17.0.1 port 6379: No route to host
* Closing connection 0
从Docker主机中成功,
From the docker host I am successful,
[root@docker-host ~]# curl -v https://172.17.0.1:6379/0
* About to connect() to 172.17.0.1 port 6379 (#0)
* Trying 172.17.0.1...
* Connected to 172.17.0.1 (172.17.0.1) port 6379 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
如果我检查
If i check the iptables I can see the issue,
[root@docker-host ~]# iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i docker0 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
所以我添加以下内容,并且一切正常,
So I add the following and it all works well,
iptables -I INPUT 4 -i docker0 -j ACCEPT
我在这里缺少什么吗?
[root@docker-host ~]# docker version
Client:
Version: 1.9.1
API version: 1.21
Package version: docker-common-1.9.1-40.el7.centos.x86_64
Go version: go1.4.2
Git commit: ab77bde/1.9.1
Built:
OS/Arch: linux/amd64
Server:
Version: 1.9.1
API version: 1.21
Package version: docker-common-1.9.1-40.el7.centos.x86_64
Go version: go1.4.2
Git commit: ab77bde/1.9.1
Built:
OS/Arch: linux/amd64
谢谢
推荐答案
我们在运行 firewalld $ c的RHEL盒上遇到了此问题$ c>。防火墙阻止容器访问主机(
icmp
流量除外)。
We hit this issue on a RHEL box which was running firewalld
. The firewall was preventing container to host access (other than icmp
traffic).
我们需要将防火墙配置为允许从Docker容器到主机的流量。在我们的案例中,容器位于子网 172.27.0.0/16
上的桥接网络中(通过 docker network ls
确定)和 docker inspect< network-name>
)。可以通过以下方式更新 firewalld
的防火墙规则:
We needed to configure the firewall to allow traffic from the docker containers through to the host. In our case, the containers were in a bridge network on subnet 172.27.0.0/16
(determined via docker network ls
and docker inspect <network-name>
). Firewall rules for firewalld
can be updated via:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=172.27.0.0/16 accept'
firewall-cmd --reload
这是一个有用的参考在解决该问题中。
This was a useful reference in resolving the issue.
这篇关于Docker-无法托管的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!